D-Link Embedded Device Shells
This week, esteemed Metasploit contributor @m-1-k-3 has been at it again with his valiant personal crusade against insecure SOHO (small office/home office) embedded devices with known vulnerabilities. We have a new trio of modules that target D-Link gear, based on research released by Craig Heffner and Zachary Cutlip: two of them exploit bugs in the DSP-W215 Smart Plug, and the third exploits a UPnP command injection bug in the DIR-815.

The research on these embedded devices is really quite solid. If you're at all interested in this kind of work, you can read Craig's excellent notes on his first and second Smart Plug bugs, published in May 2014, and Zachary's notes on the DIR-815 bug. Following along is now a ton easier with m-1-k-3's Metasploitization of these exploits, too, since you can watch the traffic on the wire if you happen to have one of these devices in your home or lab.

This is the part where I rail about the Internet of Things. I'll keep beating this drum because it's not "merely" your home network that is at risk. If the gadgets are cool and useful enough, you can be sure they will find their way into office spaces across all kinds of industries, making the penetration tester's job less an exercise in finding vulnerable devices to target and more one of prioritizing which ones to exploit first.

Nobody updates firmware, ever. Nobody. As long as these devices keep passing packets, and there's no IT department with control over them, they will remain vulnerable forever. That holds at least until something radical changes in the embedded device space so that updates become automatic and routine, and the update mechanism itself doesn't fall prey to Evilgrade-style update-hijacking attacks, which have been around for a few years now.

Over the last few weeks a lot of new work on breaking embedded devices has appeared: some quite interesting vulnerabilities, exploits, and new payloads.

Linksys WRT120N

First of all, Craig Heffner has analyzed the Linksys WRT120N router and documented the work in detail on his blog. The series of posts starts with the hardware side of the device. Next he shows how to extract the firmware from it. Finally, Craig found an interesting buffer overflow vulnerability and wrote a nice and shiny exploit for it, which resets the password of the router's web interface. So I thought this would make a quite nice Metasploit auxiliary module.

The following code is the interesting part of the module; the full code is available on GitHub.

The main function (run) starts with a test login using the username admin and an empty password. If that login succeeds there is no further need for this module, and it finishes:
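As an added illustration of that pre-check (example code written for this page, not the module's own code and not Craig's exploit): the stub below stands in for a router web interface that sits behind HTTP Basic auth, and the client side performs the same "try admin with a blank password first" decision the module makes before it does anything else. The FakeRouterUI class, the run_flow helper and the credentials are all constructed for this example; the overflow that actually resets the password is deliberately not reproduced here.

```ruby
require 'socket'
require 'net/http'

# Constructed stand-in for a router web UI that protects its pages with HTTP
# Basic auth. It is a test fixture for this example, not the WRT120N firmware.
class FakeRouterUI
  attr_reader :port

  def initialize(user:, pass:)
    # Same encoding Net::HTTP#basic_auth produces: base64 of "user:pass".
    @expected = 'Basic ' + ["#{user}:#{pass}"].pack('m0')
    @server = TCPServer.new('127.0.0.1', 0) # port 0: let the OS pick a free port
    @port = @server.addr[1]
    @thread = Thread.new { loop { handle(@server.accept) } }
  end

  def stop
    @thread.kill
    @server.close
  end

  private

  def handle(client)
    client.gets # request line ("GET / HTTP/1.1"); the path does not matter here
    headers = {}
    while (line = client.gets) && line != "\r\n"
      name, value = line.split(':', 2)
      headers[name.strip.downcase] = value.strip if value
    end
    if headers['authorization'] == @expected
      respond(client, '200 OK', ['Content-Type: text/html'],
              '<html><title>Router status</title></html>')
    else
      respond(client, '401 Unauthorized', ['WWW-Authenticate: Basic realm="router"'], '')
    end
  ensure
    client.close
  end

  def respond(client, status, extra_headers, body)
    head = ["HTTP/1.1 #{status}", *extra_headers,
            "Content-Length: #{body.bytesize}", 'Connection: close'].join("\r\n")
    client.write("#{head}\r\n\r\n#{body}")
  end
end

# The module's first step: does "admin" with an empty password already get in?
def default_login_works?(host, port, user: 'admin', pass: '')
  req = Net::HTTP::Get.new('/')
  req.basic_auth(user, pass)
  http = Net::HTTP.new(host, port, nil) # nil: never route through an env proxy
  http.read_timeout = 5
  res = http.start { |h| h.request(req) }
  res.is_a?(Net::HTTPSuccess)
end

# Mirrors the run flow described above: stop as soon as the blank password is
# accepted; otherwise the real module would continue with the overflow that
# resets the password, which is not reproduced in this example.
def run_flow(host, port)
  return :already_accessible if default_login_works?(host, port)
  :reset_required
end

if $PROGRAM_NAME == __FILE__
  ui = FakeRouterUI.new(user: 'admin', pass: '')
  puts "blank-password router: #{run_flow('127.0.0.1', ui.port)}"
  ui.stop
  ui = FakeRouterUI.new(user: 'admin', pass: 'changed')
  puts "router with a set password: #{run_flow('127.0.0.1', ui.port)}"
  ui.stop
end
```

A Metasploit module would send the same request through the framework's HTTP client mixin rather than Net::HTTP, and would report the blank-password case as a finding before returning; the decision logic is what matters here.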
